首先利用系统sysctl的配置进行防御:

由于系统已经自带一个conf及已经包涵部分安全建议提示,代码行只显示后续增加的变量修改

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_max_syn_backlog=2048
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_keepalive_time=3600
net.ipv4.tcp_window_scaling=1
net.ipv4.tcp_sack=1
kernel.exec-shield = 1
kernel.randomize_va_space = 1
fs.file-max = 65535
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1Code language: PHP (php)

利用iptables限制syn:

iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

Code language: PHP (php)
分类: Linux安全

0 条评论

发表回复

Avatar placeholder

您的电子邮箱地址不会被公开。 必填项已用*标注

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据